Please be advised that any change to the SSH settings of your server might
cause problems connecting to the server or starting/reloading the SSH daemon
itself. So every time you configure the SSH settings on a remote server via
SSH itself, ensure that you have a second open connection to the server,
which you can use to revert or adjust your changes! Before reloading the
daemon, let it check the new configuration file with `sshd -t`, which reports
syntax errors without touching the running service.

By changing the default TCP listening port, we avoid thousands of automated
login attempts every day from bots that only probe port 22.

Note

Changing the TCP listening port is not a security feature (a port scan finds
the new port within seconds), but it keeps our logs more readable by avoiding
this kind of junk.

It also helps if you have multiple servers in your LAN behind a NAT, since each
server can then be reached through its own forwarded port.

The following small shell command chooses a random TCP port from the dynamic
(private) port range, which is unlikely to interfere with other services on
your server (check with `ss -ltn` that nothing is already listening on it):

$ shuf -i 49152-65535 -n 1
63508

Add this port to your configuration:

# SSH server configuration file
# See the sshd_config(5) manpage for details

# On which TCP ports we listen for SSH client connections
Port 63508

# On which interfaces and IP addresses we listen for SSH client connections
#ListenAddress ::
#ListenAddress 0.0.0.0
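The whole procedure above (draw a port, make sure it is free, write it into the configuration, check the file before reloading) as a small shell script. This is an added example, not code from the original page; the function names `ports_in_use`, `pick_free_port`, `set_sshd_port` and `check_sshd_config` are mine, and the script assumes GNU coreutils (`shuf`, `sed -i`) and uses `ss` and `sshd` only when they are installed.

```shell
#!/bin/sh
# Added example (not from the original page): pick a listening port from the
# dynamic range that nothing on this host is already using, write it into an
# sshd_config file, and syntax-check the file before the daemon is reloaded.
# Assumes GNU coreutils (shuf, sed -i); ss and sshd are used only if present.

# ports_in_use -> space-separated TCP ports currently in LISTEN state
ports_in_use() {
    ss -Hltn 2>/dev/null | awk '{ n = split($4, a, ":"); print a[n] }' \
        | sort -un | tr '\n' ' '
}

# pick_free_port "PORTS_IN_USE" [LOW] [HIGH] -> a random port in LOW-HIGH
# (default 49152-65535) that is not in the list; gives up after 100 collisions
pick_free_port() {
    in_use=" $1 "
    low=${2:-49152}
    high=${3:-65535}
    tries=0
    while [ "$tries" -lt 100 ]; do
        port=$(shuf -i "$low-$high" -n 1)
        case "$in_use" in
            *" $port "*) tries=$((tries + 1)) ;;   # collision, draw again
            *) echo "$port"; return 0 ;;
        esac
    done
    echo "no free port found in $low-$high" >&2
    return 1
}

# set_sshd_port FILE PORT -> replace the (possibly commented-out) Port line
# in FILE, or append one if the file has none
set_sshd_port() {
    file=$1
    port=$2
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# check_sshd_config FILE -> 0 if sshd parses FILE; skipped when sshd is absent
check_sshd_config() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed, skipping syntax check" >&2
        return 0
    fi
    sshd -t -f "$1"
}

# Typical use on the server, from a session you can afford to lose while a
# second one stays open:
#   port=$(pick_free_port "$(ports_in_use)")
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   set_sshd_port /etc/ssh/sshd_config "$port" \
#       && check_sshd_config /etc/ssh/sshd_config
```

Only reload the daemon once `check_sshd_config` succeeds, and keep the backup copy at hand in the second session so the old port can be restored if the new one is blocked by a firewall in front of the server.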

There will also be SSH connections out of the server to other SSH servers
(e.g. for storing backups or accessing remote files). In that case the server
system acts as a client to a remote SSH server. Therefore a "server" also needs
a well-configured SSH client.

If your domain is not secured with DNSSEC, you should NOT use this feature, as
the information the clients receive over DNS cannot be trusted. OpenSSH only
trusts an SSHFP record silently when the resolver marks the answer as
DNSSEC-validated; an unvalidated record still results in the usual fingerprint
prompt (see VerifyHostKeyDNS in ssh_config(5)).

The hashes of the SSH server host keys can be published as SSHFP records in
DNSSEC-secured domains.

By publishing a fingerprint of your SSH server public keys in DNS, connecting
clients can verify the server identity without the need to distribute and
update your server public keys on all clients.

As of now, RSA and Ed25519 keys can both be published in DNS according to the
IANA assignments "DNS SSHFP Resource Record Parameters".
But OpenSSH isn't ready to read and check Ed25519 fingerprints from DNS: the
message "Error calculating host key fingerprint." will be displayed and keys
need to be accepted manually.
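To see what actually ends up in the zone, the following script builds SSHFP records from an OpenSSH public-key line by hand: the fingerprint is the SHA-1 (type 1) or SHA-256 (type 2) hash of the base64-decoded key blob, and the algorithm number follows the IANA SSHFP registry. This is an added example, not code from the original page or from OpenSSH; the function names are mine, the script assumes GNU coreutils (`base64`, `sha1sum`, `sha256sum`), and the key used in the test is a constructed Ed25519 blob with an all-zero key, not a real host key.

```shell
#!/bin/sh
# Added example (not from the original page): build SSHFP records from an
# OpenSSH public-key line, the same records `ssh-keygen -r HOST -f KEY.pub`
# prints, so the DNS side of host-key verification can be inspected by hand.
# Assumes GNU coreutils base64/sha1sum/sha256sum.

# sshfp_algorithm KEYTYPE -> IANA SSHFP algorithm number
sshfp_algorithm() {
    case "$1" in
        ssh-rsa)                                      echo 1 ;;
        ssh-dss)                                      echo 2 ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
                                                      echo 3 ;;
        ssh-ed25519)                                  echo 4 ;;
        *) echo "unsupported key type: $1" >&2; return 1 ;;
    esac
}

# sshfp_fingerprint BASE64_BLOB FPTYPE -> hex digest of the raw key blob
# (FPTYPE 1 = SHA-1, 2 = SHA-256)
sshfp_fingerprint() {
    case "$2" in
        1) printf '%s' "$1" | base64 -d | sha1sum   | cut -d' ' -f1 ;;
        2) printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1 ;;
        *) echo "unsupported fingerprint type: $2" >&2; return 1 ;;
    esac
}

# sshfp_records HOSTNAME "KEYTYPE BASE64 [COMMENT]" -> one record per
# fingerprint type, in zone-file syntax
sshfp_records() {
    host=$1
    line=$2
    set -- $line                      # split the key line into its fields
    alg=$(sshfp_algorithm "$1") || return 1
    for fptype in 1 2; do
        printf '%s IN SSHFP %s %s %s\n' "$host" "$alg" "$fptype" \
            "$(sshfp_fingerprint "$2" "$fptype")"
    done
}

# Typical use on the server (real host key, real zone name):
#   sshfp_records host.example.org "$(cat /etc/ssh/ssh_host_ed25519_key.pub)"
```

Compare the output against `ssh-keygen -r host.example.org -f /etc/ssh/ssh_host_ed25519_key.pub` before putting the records into the (DNSSEC-signed) zone, and set `VerifyHostKeyDNS yes` in the clients' ssh_config so they look the records up.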